Installing Consul 1.15.2 on Ubuntu and configuring encryption

2023-04-02  xun2019

References

  1. https://developer.hashicorp.com/consul/downloads
  2. https://github.com/hashicorp-education/learn-consul-get-started-vms
    https://developer.hashicorp.com/consul/tutorials/get-started-vms/virtual-machine-gs-deploy

Procedure

  1. Download and install Consul
    wget https://releases.hashicorp.com/consul/1.15.2/consul_1.15.2_linux_amd64.zip
    unzip consul_1.15.2_linux_amd64.zip
    cp consul /usr/bin/
    # Test
    consul -h
  2. Encryption configuration
    # Copy the contents of generate_consul_server_config.sh
    https://github.com/hashicorp-education/learn-consul-get-started-vms/blob/main/scripts/generate_consul_server_config.sh
    ./generate_consul_server_config.sh
    # Generated files:
    agent-gossip-encryption.hcl
    agent-server-acl.hcl
    agent-server-secure.hcl
    agent-server-specific.hcl
    agent-server-tls.hcl
    consul-agent-ca-key.pem
    consul-agent-ca.pem
    dc1-server-consul-0-key.pem
    dc1-server-consul-0.pem

Start the Consul service

    # -client=0.0.0.0 binds the client interfaces (HTTP API, UI, DNS) to all addresses
    consul agent -node=consul -bind=x.x.x.x -config-dir=config/ -client=0.0.0.0 -ui
  3. Assign ACL permissions
    https://developer.hashicorp.com/consul/docs/security/acl/acl-policies
    # Create the super-administrator (bootstrap) token
    consul acl bootstrap --format json > ./acl-token-bootstrap.json

Token permissions can then be managed in the UI at http://x.x.x.x:8500/ui/dc1/acls/policies

  4. Generate the client certificate
    https://developer.hashicorp.com/consul/tutorials/security-operations/tls-encryption-openssl-secure#configure-the-consul-cli-for-https

    openssl x509 -req -in cli.client.dc1.consul.csr -CA consul-agent-ca.pem -CAkey consul-agent-ca-key.pem -out cli.client.dc1.consul.crt

    consul members -http-addr="https://server.dc1.consul:8443" -ca-file="consul-agent-ca.pem" -client-cert="cli.client.dc1.consul.crt" -client-key="cli.client.dc1.consul.key"
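
The signing command above starts from an existing CSR and key. The following added example (not from the original post or the HashiCorp tutorial) creates the key and CSR, signs the CSR, and checks the result before it is handed to the Consul CLI. The throwaway CA, demo.cnf, the clientAuth extension and the validity periods are assumptions so that it runs offline.

```bash
#!/usr/bin/env bash
# Added example, not from the original post. File names follow the commands
# above; the demo CA, demo.cnf, clientAuth EKU and lifetimes are assumptions.

# Minimal OpenSSL config so nothing depends on the system openssl.cnf.
write_cnf() {
  printf '%s\n' '[req]' 'distinguished_name = req' 'x509_extensions = v3_ca' \
    '[v3_ca]' 'basicConstraints = critical,CA:TRUE' > "$1/demo.cnf"
}

# Constructed throwaway CA standing in for consul-agent-ca.pem and its key.
make_demo_ca() {
  write_cnf "$1" && openssl req -x509 -config "$1/demo.cnf" -newkey rsa:2048 \
    -nodes -days 1 -subj "/CN=Demo Consul Agent CA" \
    -keyout "$1/consul-agent-ca-key.pem" -out "$1/consul-agent-ca.pem" 2>/dev/null
}

# Create the CLI key and CSR, then sign the CSR with the CA in directory $1.
issue_cli_cert() {
  local d="$1" name=cli.client.dc1.consul
  [ -f "$d/demo.cnf" ] || write_cnf "$d"
  ( umask 077  # keep the private key unreadable to group and others
    openssl req -new -config "$d/demo.cnf" -newkey rsa:2048 -nodes \
      -subj "/CN=$name" -keyout "$d/$name.key" -out "$d/$name.csr" 2>/dev/null
  ) || return 1
  echo 'extendedKeyUsage = clientAuth' > "$d/client.ext"
  # -CAcreateserial creates the CA serial file if it does not exist yet.
  openssl x509 -req -in "$d/$name.csr" -days 30 -CAcreateserial \
    -CA "$d/consul-agent-ca.pem" -CAkey "$d/consul-agent-ca-key.pem" \
    -extfile "$d/client.ext" -out "$d/$name.crt" 2>/dev/null
}

# The chain must verify for TLS client use and the certificate must match the key.
check_cli_cert() {
  local d="$1" name=cli.client.dc1.consul
  openssl verify -purpose sslclient -CAfile "$d/consul-agent-ca.pem" \
    "$d/$name.crt" >/dev/null 2>&1 || return 1
  [ "$(openssl x509 -in "$d/$name.crt" -noout -pubkey)" = \
    "$(openssl pkey -in "$d/$name.key" -pubout)" ]
}

# Demo run in a scratch directory.
demo_dir=$(mktemp -d)
make_demo_ca "$demo_dir" && issue_cli_cert "$demo_dir" && check_cli_cert "$demo_dir" \
  && echo "verified: $demo_dir/cli.client.dc1.consul.crt"
```

With the real CA, skip make_demo_ca and run issue_cli_cert and check_cli_cert in the directory that holds consul-agent-ca.pem and consul-agent-ca-key.pem.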
